IT Security Interview Q&A

Q: What is access control?
A: Access control provides the mechanism for ensuring that only authorized individuals can access organizational information. More stringent access control mechanisms are needed as the value of the information to the organization increases.

Q: What is Least Privilege?
A: Least Privilege states that users should have access only to the information required to perform their job duties, and nothing more.

Q: How do you define confidentiality?
A: Confidentiality means keeping private information private. You don’t want outside competitors seeing your organization’s research and development work, and you don’t want sensitive customer information being stolen and used for identity theft or fraud.

Q: What is integrity as it applies to information security?
A: Integrity is ensuring that information remains in the proper state while it’s being used or stored. A loss of integrity occurs if information is modified in an unauthorized manner.

Q: What is availability?
A: Availability means that information is accessible and ready for use at the moment you need it.

Q: How do you define risk?
A: Risk is the combination of a threat, a vulnerability, and the impact to the organization (the value at stake). Risk exists only when all three of these elements are present at the same time. For example, if an organization knows of a threat agent that wants to steal its critical research information, and a vulnerability exists that could allow that to happen, then risk is present.

Q: What is the importance of classifying data?
A: Classifying data allows an organization to differentiate between routine information types and those types that have a critical impact on how it does business. Classifying also allows management to appropriately budget for the protection of varying information types, instead of protecting everything at the same level and wasting resources.

Q: How do you describe data labeling?
A: Data labeling is intended to aid in the identification of information. Once information has been appropriately identified to users, steps can be taken to ensure its security, such as storage and handling measures appropriate to its label.